samba3upgrade migration results, issues, questions

Andrew Bartlett abartlet at samba.org
Tue May 1 21:30:01 MDT 2012


On Tue, 2012-04-24 at 16:22 +0400, Sergey Urushkin wrote:
> 
> 24.04.2012 12:09, Andrew Bartlett написал:
> > On Mon, 2012-04-23 at 16:42 +0400, Sergey Urushkin wrote:
> >> Hi.
> >>
> >>>> 2. All user accounts migrated with their saved passwords, but after
> >>>> migration many (possibly all) users were not able to login. Windows
> >>>> showed a message about "not enough resources", kinit didn't work
> >>>> either, with this message:
> >>>>  kinit: krb5_get_init_creds: No ENC-TS found
> >>>> Changing password didn't help, the only thing that helped was:
> >>>>  samba-tool user setexpiry user (with any flag - --days, --noexpiry)
> >>>> But that's not a serious issue because it can be solved by a short
> >>>> shell script. Talking about the test migration of the big domain,
> >>>> this issue also exists with rare random users and could be solved
> >>>> the same way.
> >>> I think this may simply be an issue with the upgrade of the maxPwdAge
> >>> policy from S3.  Can you try the attached patch?
> >> Tried it (I see it's already in the master). With the small domain tdbs
> >> nothing is changed. With the big domain at least one account is ok now,
> >> but administrator is still affected.
> >>
> >> Here is administrator's openldap data before migration:
> >>
> >> dn: uid=Administrator,....
> >> objectClass: top
> >> objectClass: inetOrgPerson
> >> objectClass: posixAccount
> >> objectClass: shadowAccount
> >> objectClass: sambaSamAccount
> >> objectClass: krb5Principal
> >> objectClass: krb5KDCEntry
> >> cn: Administrator
> >> sn: Administrator
> >> uid: Administrator
> >> gidNumber: 512
> >> homeDirectory: /home/Administrator
> >> loginShell: /bin/bash
> >> description: Built-in account for administering the computer/domain
> >> sambaSID: S-1-5-21-1234567890-1234567890-1234567890-500
> >> sambaPrimaryGroupSID: S-1-5-21-1234567890-1234567890-1234567890-512
> >> displayName:: 0JDQtNC80LjQvdC40YHRgtGA0LDRgtC+0YAg0YHQtdGC0Lg=
> >> sambaPasswordHistory:
> >> 00000000000000000000000000000000000000000000000000000000
> >>  00000000
> >> krb5PrincipalName: Administrator at TELROS.RU
> >> krb5KDCFlags: 126
> >> gecos: Administrator
> >> sambaKickoffTime: 1999999999
> >> sambaHomePath: \\fsrv\home
> >> sambaPwdMustChange: 1325408428
> >> sambaPwdLastSet: 1322816429
> >> sambaLMPassword: xxxxxxx
> >> sambaNTPassword: xxxxxxx
> >> krb5KeyVersionNumber: 15
> >> krb5Key:: xxx
> >> krb5Key:: xxx
> >> uidNumber: 500
> >> sambaAcctFlags: [UX         ]
> >> sambaBadPasswordCount: 0
> >> sambaBadPasswordTime: 0
> > For the administrator, because it is a default AD account, we do not
> > import it, but instead we simply bring across the password (only).  That
> > means we will not bring across the 'password does not expire' flag, but
> > the password should be valid for as long as the expiry.
> Alright, but many users in the migrated small domain are not 'well
> known' and do have this problem.
> I can send you the small domain tdbs if it would help.
> About the big domain. I used this script to check how many accounts
> beginning with 'a' are bad in the just-migrated domain.
> 
> for i in `samba-tool user list | grep ^a` ;do
>     samba-tool user setpassword --newpassword=111111 $i > /dev/null
>     echo 111111 | kinit --password-file=STDIN $i || echo $i
> done
> 
> According to it about a half of them are affected. Here is
> openldap-samba data for one of them:
> sambaLogonScript: netlogon.bat
> sambaSID: S-1-5-21-530720856-2058831417-1202159320-1968
> sambaPrimaryGroupSID: S-1-5-21-530720856-2058831417-1202159320-513
> sambaPasswordHistory:
> 00000000000000000000000000000000000000000000000000000000
> sambaAcctFlags: [U          ]
> sambaBadPasswordCount: 0
> sambaBadPasswordTime: 0
> sambaKickoffTime: 1999999999
> sambaHomePath: \\fsrv\home
> sambaPwdMustChange: 1335676980
> sambaPwdLastSet: 1333084981
> sambaLMPassword: ea70ccc05b2b2d890000000000000000
> sambaNTPassword: d460c18f7a68e2b049468d1aea8e70e5

What does a working account look like?

I don't see anything particularly wrong offhand, but I'll keep looking
into it.

> I can see (from the timestamps) that the password shouldn't have expired.
> 
> >   What expiry
> > time did you have in your old domain?
> small - never. big - 30 days.
> >> Also, I noticed another problem (which didn't exist earlier) about
> >> samba3upgrade. No group membership (except "domain users") is migrated.
> >> I can see many messages like this:
> >> Ignoring group 'groupname'
> >> S-1-5-21-1234567890-1234567890-1234567890-1423 listed but then not
> >> found: <class 'passdb.error'>
> >>
> >> And no errors after "Adding users to groups"
> >>
> >> I do have members in my openldap groups (memberUid attributes).
> > The issue here is that Samba4 simply can't see them.  What version of
> > Samba 3.x are you upgrading from?
> small - 3.0. big - 3.5.
> >
> > What do the groups look like in the directory?
> dn: cn=somegroup,ou=Groups,ou=Samba,ou=Services,dc=telros,dc=ru
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> cn: somegroup
> gidNumber: 1604
> sambaSID: S-1-5-21-530720856-2058831417-1202159320-1581
> sambaGroupType: 2
> displayName: somegroup
> description: tttttttt
> memberUid: user1
> memberUid: user2
> memberUid: user3
> memberUid: user4

OK, thanks.  We should be able to import that - it is a normal domain
group.
		SID_NAME_DOM_GRP  = 2, /* domain group */

> >
> > This is a recurring issue, and a large number of people have difficulty
> > upgrading LDAP groups for some reason.  We may need to find another way
> > to read the group list (we can bind directly to LDAP, rather than via
> > the samba3 passdb code if need be).
> A temporary solution would be to add a script that imports ldap groups
> using 'getent group' to the wiki (similar to that about unix groups, or
> just called 'before you begin - save all your group information to a file').
> I solve it this way.

Attached is an alternate approach that may solve your issue.  If you can
test it for me, I would very much appreciate it.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s3-pypassdb-remove-unused-variable.patch
Type: text/x-patch
Size: 862 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120502/ab6b4dbf/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-s3-pypassdb-add-wrapper-for-enum_group_memberships.patch
Type: text/x-patch
Size: 2909 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120502/ab6b4dbf/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-s4-s3upgrade-Try-harder-to-get-group-memberships-on-.patch
Type: text/x-patch
Size: 4297 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120502/ab6b4dbf/attachment-0002.bin>
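The "before you begin - save all your group information to a file" workaround discussed in the thread (group memberships from LDAP `memberUid` attributes being dropped by samba3upgrade), written out as an added example. This is not code from the thread or from the Samba project. It assumes the Samba 4 command form `samba-tool group addmembers GROUP user1,user2` and that group and user names are unchanged by the upgrade; the `getent group` output below is a constructed sample so the script runs offline, and the generated commands are printed rather than executed so they can be reviewed before being applied.

```sh
#!/bin/sh
# Added example (not from the thread): capture group memberships from
# `getent group` before a samba3upgrade and turn them into samba-tool
# commands that restore them afterwards.
#
# Assumptions: Samba 4 CLI syntax `samba-tool group addmembers GROUP a,b,c`,
# and that group/user names survive the upgrade unchanged.

# Constructed sample of `getent group` output, standing in for the real
# command so the example runs without an NSS/LDAP backend.
sample_getent_group() {
    cat <<'EOF'
root:x:0:
somegroup:x:1604:user1,user2,user3,user4
emptygroup:x:1605:
domain users:x:513:user1,user2
EOF
}

# Read getent-style lines (name:passwd:gid:member,member,...) on stdin and
# print one samba-tool command per group that actually has members.
# Groups with no members are skipped (nothing to restore), and "domain users"
# is skipped because the upgrade already migrates that membership.
# The name is quoted in the output because group names may contain spaces.
group_import_commands() {
    while IFS=: read -r name _pw _gid members; do
        [ -z "$members" ] && continue
        [ "$name" = "domain users" ] && continue
        printf 'samba-tool group addmembers "%s" %s\n' "$name" "$members"
    done
}

# Number of groups whose memberships would be restored; compare it against
# the number of "Ignoring group" lines the upgrade printed as a sanity check.
count_import_commands() {
    group_import_commands | wc -l | tr -d ' '
}

# Offline run over the constructed sample. On the real host, before
# upgrading:   getent group | group_import_commands > restore-groups.sh
# and after the upgrade, review restore-groups.sh and run it on the DC.
sample_getent_group | group_import_commands
```

The script deliberately emits commands instead of running them: a migration is the moment to review which groups will be recreated and with whom, and a one-line `wc -l` count against the upgrade's "Ignoring group" messages catches groups that were silently dropped.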